N>S>A> TAO UNIT
The TAO unit is, for all intents and purposes, a hacking group. The TAO aims to exploit hardware and software to gather intelligence on supposedly foreign entities. This is facilitated by gaining access to telecommunication companies that operate the backbone of the Internet and capturing Internet traffic, as well as intercepting physical devices and inserting monitoring capabilities onto them. Since its inception in 1998, the group has grown to be one of the most important parts of the NSA because of society’s reliance on computers and the access necessary to monitor those communications. The TAO unit was designed to extend previous capabilities for monitoring radio communications to general monitoring of a broad array of networked systems. Since a potential target could be using practically any technology, the TAO unit likely targets network equipment because of the limited number of devices to attack and the broad access it could offer.
In the now infamous files leaked by former NSA contractor Edward Snowden, details of the TAO unit’s tasks, capabilities and functions were released to the general public. For example, the documents exposed information concerning how to compromise systems before they leave the manufacturer, even if they are never connected to a TCP/IP network and other scenarios. Some of the concepts believed to be pioneered by TAO have since been used in credit card skimmer attacks and even USB-based malware. Additionally, there have been many examples of hardware or software shipped with malware already installed and instances of vendors shipping devices where even the most basic security evaluations were not undertaken. While enterprises should plan for and defend against these threats, they must first know how to accomplish it.
The NSA has interrupted the supply chain in attacks so that its monitoring tools will already be present on systems before the devices even connect to a target network. Unfortunately, the supply chain weaknesses are not well understood by enterprises and most are ill-prepared to address hardware that has physical tools already installed on them for intelligence gathering. The physical tool could just send communications to an outside party or it could be used to provide persistence even if the currently installed OS is removed.
While enterprises could reinstall factory operating systems, it is advisable to monitor newly installed systems for any suspicious network access prior to putting them into the production environment.
The reports detailing the NSA’s capabilities are both good and bad: not only do they give the good guys hints about areas to investigate, but they also provide insight for the bad guys and potentially help them shorten the development cycle of future attacks. In regard to man-in-the-middle attacks, the TAO’s QUANTUM program offers fascinating detail on how a communication channel can be monitored, even if the communication channel is encrypted. Enterprises should be aware that attackers outside the NSA are likely hard at work refining the techniques on the QUANTUM capabilities list and will soon seek to apply them to their own targeted attacks — this may already be happening.
Defending TAO techniques: What can be done?
One of the most valuable after effects of the leaks has been giving individuals and enterprises alike the knowledge of where particular technologies and processes, such as network communications and supply chains, are vulnerable to creative attack methods. This should certainly help enterprises prioritize resource allocation toward the defense measures that are needed to prevent falling prey to these issues.
While defending against the NSA itself as a U.S. company simply isn’t feasible, enterprises do have some options. Prior to adopting new hardware or software, enterprises should validate it for tampering. On the other hand, vendors could also provide customers with a method to validate that software and hardware hasn’t been tampered with, such as using signed software. These same steps could be used on a regular basis to look for suspicious activity.
It is also important that enterprises and individuals assume any and all communication is being monitored, even on dedicated circuits. Implementing encryption for all communications beyond merely using a VPN will help thwart tapping and eavesdropping. Enterprises with high security requirements could even protect against attacks using wireless communications through a Faraday cage, though it is unreasonable for most organizations. Alternately, enterprises could get a radio frequency monitor to sweep through their facilities and monitor for unauthorized connections. This is similar to monitoring the network for any suspicious network connections.
In addition to presuming that all lines of communication are being monitored, enterprises could also heed some of the NSA’s own advice around assuming that their businesses are also compromised. It can help keep organizations on their toes if they think they are being targeted by better funded, smarter and more advanced attackers.